httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 59087] DH parameters with too small prime lengths used with openssl < 1.0.2
Date Fri, 04 Mar 2016 14:51:34 GMT

--- Comment #9 from Björn Jacke <> ---
It is not possible to iterate once over the certs and use the strongest cert
for the DH param size calculation?

But in any case: If we *know* that we mis-calculate the DH param size with
openssl 1.0.1, then we should at least set the minimum DH param length to a
reasonable secure size. And 1024 is considered not secure these days. The best
solution then would be to increase the minimum DH param size e.g. to 2048,
wouldn't it? People who have interoperability issues with large DH sizes
because of Java clients or whatever can still set fixed DH parameters as
commented in ssl_engine_kernel.c already for the current (weak) 1024 limit.

You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message